Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mass SQL Injection Attack Hits Sites Running IIS

Posted by Soulskill on from the oft-repeated-headlines dept.

Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

5 of 288 comments (clear)

  1. Re:Wrong tag by Michael+Kristopeit · · Score: 4, Insightful

    it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

  2. Re:Wrong tag by BitterOak · · Score: 3, Insightful

    it is due to sql... if the databases and website frameworks forced a different query language that forced variable parametrization, there wouldn't be any injection risk.

    Mod parent up. According to the GP "it is wrong to picture this as a lack or shortcoming of sql. sql is doing what query it is given to it. nothing else." That's precisely the problem! Most security vulnerabilities are the result of software doing exactly what it is told to do!

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  3. So... it is really due to CPU's? Re:Wrong tag by Fubari · · Score: 3, Insightful

    it is due to sql...

    Huh? It happened because they use sql?
    Following that line of thought,
    isn't it really due to the use
    of CPU's in those servers?

  4. Re:Poor programing practices, NOT IIS or SQL at fa by Galestar · · Score: 4, Insightful

    Here's a more accurate version: Anyone writing code that doesn't sanitize input needs to find a new line of work.

    Fixed that for you

    --
    AccountKiller
  5. Re:If it is platform independent by Dragonslicer · · Score: 4, Insightful

    SQL injection is completely independent of web server, programming language, and database system. An idiot can write vulnerable code in any language, using any database system, and run it on any web server. My guess about why this is only targeting IIS is that the attack is against some specific ASP.NET code, so the vulnerability isn't in IIS, but the vulnerable code only runs on IIS.